PT-2017-13966 · October · October CMS

Ishaq Mohammed · Published 2017-10-12 · Updated 2022-05-13 · CVE-2017-15284

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: OctoberCMS version 1.0.425
Description: The issue allows a least-privileged user to upload an SVG file containing malicious code as the avatar for their profile. When the avatar is opened by an administrator, the embedded JavaScript executes in the context of the admin account.
Recommendations: For OctoberCMS version 1.0.425, consider restricting the upload of SVG files or disabling the ability to set custom avatars until a fix is available. Additionally, restrict access to the profile management feature to minimize the risk of exploitation.
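One way to implement the recommendation above at upload time, as an added example in Python that is not OctoberCMS code (the CMS itself is PHP): a gate that refuses SVG avatars by default and, where SVG has to be allowed, rejects any file carrying script elements, event-handler attributes, active URL schemes or a DTD before it is stored. The SVG inputs are constructed for the demonstration, the function names are this example's own, and the header set at the end shows how a stored avatar can be served so that it is never rendered as a top-level document in the administrator's origin.

```python
"""Upload-time gate for user-supplied SVG avatars (illustrative, not OctoberCMS code)."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Elements that can run or embed active content inside an SVG document.
FORBIDDEN_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object", "handler"}
# URL schemes that execute or embed content when they appear in href/src-style attributes.
FORBIDDEN_SCHEMES = ("javascript:", "vbscript:", "data:")
# Constructs rejected on the raw bytes, before the XML parser ever sees them.
_PRE_PARSE_MARKERS = (b"<!doctype", b"<!entity", b"<?xml-stylesheet")

# Constructed sample inputs for the demonstration (not taken from the advisory).
BENIGN_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="64" height="64">
  <circle cx="32" cy="32" r="30" fill="#3b82f6"/>
</svg>"""
SCRIPT_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg">
  <script>/* constructed marker, no payload */</script>
  <rect width="10" height="10"/>
</svg>"""
HANDLER_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg">
  <rect width="10" height="10" onload="x"/>
</svg>"""
HREF_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href="javascript:x"><text y="10">t</text></a>
</svg>"""


def _local(name: str) -> str:
    """'{namespace}tag' -> 'tag', case-folded so matching stays conservative."""
    return name.rsplit("}", 1)[-1].lower()


def _normalised(value: str) -> str:
    """Drop whitespace and control characters browsers ignore inside URLs."""
    return re.sub(r"[\s\x00-\x1f]", "", value).lower()


def check_svg_avatar(data: bytes) -> list[str]:
    """Return the reasons to reject this SVG; an empty list means it passed."""
    reasons = []
    lowered = data.lower()
    for marker in _PRE_PARSE_MARKERS:
        if marker in lowered:
            reasons.append(f"disallowed construct before parse: {marker.decode()}")
    if reasons:
        return reasons  # never hand DTDs or entities to the XML parser
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        reasons.append(f"root element is not svg in the SVG namespace: {root.tag}")
    for elem in root.iter():
        tag = _local(elem.tag) if isinstance(elem.tag, str) else ""
        if tag in FORBIDDEN_ELEMENTS:
            reasons.append(f"forbidden element <{tag}>")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):  # onload, onclick, onmouseover, ...
                reasons.append(f"event handler attribute {name} on <{tag}>")
            if _normalised(value).startswith(FORBIDDEN_SCHEMES):
                reasons.append(f"active URL scheme in {name} on <{tag}>")
    return reasons


def accept_avatar_upload(filename: str, data: bytes, allow_svg: bool = False) -> tuple[bool, str]:
    """Upload decision: SVG is refused outright unless allow_svg is set, and must then pass the gate."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    looks_like_svg = ext == "svg" or b"<svg" in data[:512].lower()
    if looks_like_svg:
        if not allow_svg:
            return False, "SVG avatars are disabled"
        reasons = check_svg_avatar(data)
        if reasons:
            return False, "; ".join(reasons)
        return True, "SVG passed active-content gate"
    if ext in {"png", "jpg", "jpeg", "gif", "webp"}:
        return True, "raster avatar accepted"
    return False, f"unsupported avatar type: {ext or 'unknown'}"


# Headers for serving a stored avatar: even a clean SVG is downloaded rather than
# rendered as a document, is never content-sniffed, and gets no script context.
AVATAR_RESPONSE_HEADERS = {
    "Content-Type": "image/svg+xml",
    "Content-Disposition": "attachment",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "script-src 'none'; sandbox",
}

if __name__ == "__main__":
    for name, blob in [("ok.svg", BENIGN_SVG), ("script.svg", SCRIPT_SVG),
                       ("handler.svg", HANDLER_SVG), ("href.svg", HREF_SVG)]:
        print(name, accept_avatar_upload(name, blob, allow_svg=True))
```

The pre-parse check keeps DOCTYPE and entity declarations away from the stdlib parser; in production the safer default is to parse with defusedxml. The gate is deliberately a deny-list on active content rather than a full sanitizer, which is why the default policy is still to refuse SVG avatars altogether, as the advisory recommends, and to serve whatever is stored with `Content-Disposition: attachment` so that opening the file directly does not execute it in the site's origin.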

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2017-15284
GHSA-GVGF-FP4M-2HW6

Affected Products

October CMS